Public Workshop – Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis, May 18-19, 2017

The Food and Drug Administration (FDA), in association with the National Science Foundation (NSF) and the Department of Homeland Security, Science and Technology (DHS, S&T), is announcing the following public workshop entitled “Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis.” The purpose of this workshop is to examine opportunities for FDA engagement with new and ongoing research, catalyze collaboration among Health Care and Public Health (HPH) stakeholders to identify regulatory science challenges, discuss innovative strategies to address those challenges, and encourage proactive development of analytical tools, processes, and best practices by the stakeholder community to strengthen medical device cybersecurity.

Date, Time and Location:

This meeting will be held May 18-19, 2017, from 8:00 am to 5:00 pm at the following location:

FDA White Oak Campus
10903 New Hampshire Avenue
Bldg. 31, Room 1503
Silver Spring, MD, 20993

Entrance for workshop participants (non-FDA employees) is through Building 1 where routine security check procedures will be performed. Parking and security information.

Webcast

The workshop will not be webcast, but a transcript and slides from the general session will be available on this website in early June 2017.

Additional Information:

Regulatory Science is defined as the science of developing new tools, standards, and approaches to assess the safety, efficacy, quality, and performance of all FDA-regulated products. At the Center for Devices and Radiological Health (CDRH), regulatory science serves to accelerate improving the safety, effectiveness, performance and quality of medical devices and radiation-emitting products, and to facilitate innovative medical devices into the marketplace. The Regulatory Science Subcommittee of the CDRH Center Science Council assessed and prioritized the regulatory science gaps for medical devices based on input from CDRH Offices. Cybersecurity of medical devices was identified as one of the top ten regulatory science gaps. These new regulatory science tools, technologies, and approaches form the bridge to critical advances in public health.

FDA, NSF and DHS, S&T are therefore seeking input to create a framework to address the cybersecurity regulatory science gaps. The scope and nature of this cybersecurity regulatory science research framework is designed to be broad to foster collaboration across all interested stakeholders. The domain is defined by the intersection of safety and security in the design and evolution of medical devices. The objective of the workshop is to facilitate a discussion on the current state of regulatory science in the field of cybersecurity of medical devices, with a focus on patient safety.

The framework may include collaborative research conducted between federal agencies such as NSF, DHS, S&T, academia, medical device industry, and third party experts and other organizations with input from FDA. The collaborative research may include one or more of the following settings.

(a) Intramural cybersecurity research conducted within FDA;
(b) Extramural cybersecurity research in collaboration with other federal agencies (e.g., DHS, S&T); and
(c) Collaborative long-term cybersecurity research conducted among federal agencies, NSF, academia, medical device industry, and third party experts and organizations.

Preliminary Agenda

Day and Time

Activity

Day 1 (5/18/2017)  
7:30 am Sign-in
8:00 am General session: Introduction and welcome
8:30 am General session: Keynote talks
10:30 am General session: Break
10:45 am General session: Keynote talks
12:15 pm Lunch Break
1:15 pm General session: Keynote talks
2:15 pm Breakout sessions

Breakout session structure:
Discuss topic – 40 min
Internal group report on findings – 5 min
Discussion – 15 min
Break – 15 min

4:30 pm General session: Next day agenda summary, logistics, etc.
5:00 pm Break for the day
   
Day 2 (5/19/2017)  
8:30 am General session: Announcements, agenda summary, logistics, etc.
8:45 am Break-out sessions
11:00 am General session: Discuss break-out findings using notes taken during the sessions
12:00 pm Lunch Break
1:00 pm General session: Continued discussion of break-out group findings
2:15 pm Break
2:30 pm General session: Discussion of priorities as recommended by break-out groups, and agreement on key takeaways to be included in the workshop report
4:30 pm General session: Concluding remarks
5:00 pm End of workshop

Potential Topics for Discussion:

The workshop sessions are planned to include a number of short opening plenary talks, followed by multiple simultaneous working sessions organized by broad themes. Attendees are encouraged to participate in at least one working session of their choice, providing unique views, insights, and challenges. Each break-out session discussion may include the following discussion elements:

  1. Immediate cybersecurity challenges and potential solutions to facilitate innovative medical devices into the marketplace;
  2. Cybersecurity regulatory science gaps to which solutions can be developed through additional scientific research; and
  3. Long-term cybersecurity research challenges which may need significant additional basic research.

The following is a list of potential topics that may be discussed during the workshop.

What is the nature of the intersection of security vulnerabilities and patient safety, e.g., are there specific subsections of the security field which are more relevant to safety than others? What tools (e.g., automated tools) could be leveraged to aid in risk assessment?

Are “traditional” security solutions sufficient or adaptable given that medical devices have long lifetimes, are difficult to service, and must maintain consistent and high availability, especially if devices are life-sustaining or life-preserving? How does the fact that many medical devices are low-power and/or embedded systems with limited power, processing, memory, and other resources affect the security functions which can be incorporated into devices?

How can “traditional” solutions be adapted to home environments given that home networks are potentially untrustworthy and uncontrolled, and do not have a dedicated IT staff? Moreover, how might we address the concern that no network availability or quality of service guarantees are available, and there is no option for emergency network repair in case of problems? 

How do we resolve the conflicts that may arise between facility IT and biomedical engineers due to occasionally contradictory goals of the two groups regarding, e.g., device access control, safety, security, and availability?

Is there an accepted methodology for expressing the security threat environment (e.g., on a network) to which a medical device may be exposed? Is there a better way to consistently communicate the characteristics and severity of vulnerabilities in a clinical context (e.g. CVSS-like rubrics)?

How can device security features be communicated to operators and/or regulators in a way that allows reasoning about the coexistence of many devices from different vendors simultaneously (e.g., on a shared network), allowing reasoning about systems of devices rather than individual units?

Are there any examples/case studies of what to do and/or what not to do that facilities and/or manufacturers have encountered? Potential areas of discussion include network instructions for use, patch management strategies, articulation of baseline deployment needs (MDS2, etc.), manufacturer capacity to distribute updates in a timely manner, etc.

How can biomedical engineers, IT, and device operators set up and provision devices for maximum security and safety? What kind of potentially unexpected issues might manufacturers, HDOs, and even home users/operators encounter “in the wild”?  

Are there any notable experiences regarding adapting security to deal with e.g., physical and cost limitations from facilities and/or manufacturers? Potential areas of discussion include detection, vulnerability management, asset management, patterns and elements of secure architectures, integration challenges, etc.

Additional topics may be submitted at the time of registration using the comments text field.

Registration to Attend the Workshop:

If you wish to attend this Workshop, you must register by 4:00 pm on May 4, 2017. When registering, you must provide the following information (all fields are required):

There is no fee to register for the Workshop, but early registration is recommended because seating is limited. FDA may limit the number of participants from each organization. Registrants will receive confirmation when they have been accepted. If time and space permit, onsite registration on the day of the workshop will be provided beginning at 8 a.m. We will let registrants know if registration closes before the day of the workshop.

If you require special accommodations due to a disability, or need additional information regarding registration, please contact Susan Monahan, Office of Communication and Education, Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Avenue, Bldg. 32, Silver Spring, MD 20993, 301-796-5661, susan.monahan@fda.hhs.gov.

Transcripts: Please be advised that as soon as a transcript of the plenary session portion of the public workshop is available, it will be accessible at http://www.regulations.gov. It may be viewed at the Division of Dockets Management. A link to the transcript will also be available on the internet at http://www.fda.gov/MedicalDevices/NewsEvents/WorkshopsConferences/default.htm. (Select this workshop from the posted events list.)

For questions regarding workshop content please contact:

Dinesh Patwardhan, Ph.D., Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Ave, Bldg. 64, Rm. 4076, Silver Spring, MD 20993, email: dinesh.patwardhan@fda.hhs.gov
 
